Don't allow reassembly to create packets bigger than IP_MAXPACKET, and count

	attempts to do so.
Don't allow users to source packets bigger than IP_MAXPACKET.
Make UDP length and ipovly's protocol length unsigned short.

Reviewed by:	wollman
Submitted by:	(partly by) kml@nas.nasa.gov (Kevin Lahey)

5 files changed, 32 insertions, 8 deletions

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index d5c904d..cfe1d4a 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.48 1996/10/07 19:21:45 wollman Exp $
+ * $Id: ip_input.c,v 1.49 1996/10/22 22:25:58 sos Exp $
  *	$ANA: ip_input.c,v 1.5 1996/09/18 14:34:59 wollman Exp $
  */
 
@@ -646,7 +646,17 @@ insert:
 		return (0);
 
 	/*
-	 * Reassembly is complete; concatenate fragments.
+	 * Reassembly is complete.  Make sure the packet is a sane size.
+	 */
+	if (next + (IP_VHL_HL(((struct ip *)fp->ipq_next)->ip_vhl) << 2)
+							> IP_MAXPACKET) {
+		ipstat.ips_toolong++;
+		ip_freef(fp);
+		return (0);
+	}
+
+	/*
+	 * Concatenate fragments.
 	 */
 	q = fp->ipq_next;
 	m = dtom(q);
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index d71008f..59b3df8 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ip_var.h	8.2 (Berkeley) 1/9/95
- *	$Id: ip_var.h,v 1.22 1996/10/15 16:54:47 bde Exp $
+ *	$Id: ip_var.h,v 1.23 1996/10/23 18:35:50 wollman Exp $
  */
 
 #ifndef _NETINET_IP_VAR_H_
@@ -44,7 +44,7 @@ struct ipovly {
 	caddr_t	ih_next, ih_prev;	/* for protocol sequence q's */
 	u_char	ih_x1;			/* (unused) */
 	u_char	ih_pr;			/* protocol */
-	short	ih_len;			/* protocol length */
+	u_short	ih_len;			/* protocol length */
 	struct	in_addr ih_src;		/* source internet address */
 	struct	in_addr ih_dst;		/* destination internet address */
 };
@@ -146,6 +146,7 @@ struct	ipstat {
 	u_long	ips_noroute;		/* packets discarded due to no route */
 	u_long	ips_badvers;		/* ip version != 4 */
 	u_long	ips_rawout;		/* total raw ip packets generated */
+	u_long	ips_toolong;		/* ip length > max ip packet size */
 };
 
 #ifdef KERNEL
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index f55f7b4..21ef2f9 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)raw_ip.c	8.7 (Berkeley) 5/15/95
- *	$Id: raw_ip.c,v 1.35 1996/08/27 20:52:27 sos Exp $
+ *	$Id: raw_ip.c,v 1.36 1996/10/07 19:21:46 wollman Exp $
  */
 
 #include <sys/param.h>
@@ -165,6 +165,10 @@ rip_output(m, so, dst)
 	 * Otherwise, allocate an mbuf for a header and fill it in.
 	 */
 	if ((inp->inp_flags & INP_HDRINCL) == 0) {
+		if (m->m_pkthdr.len + sizeof(struct ip) > IP_MAXPACKET) {
+			m_freem(m);
+			return(EMSGSIZE);
+		}
 		M_PREPEND(m, sizeof(struct ip), M_WAIT);
 		ip = mtod(m, struct ip *);
 		ip->ip_tos = 0;
@@ -175,6 +179,10 @@ rip_output(m, so, dst)
 		ip->ip_dst.s_addr = dst;
 		ip->ip_ttl = MAXTTL;
 	} else {
+		if (m->m_pkthdr.len > IP_MAXPACKET) {
+			m_freem(m);
+			return(EMSGSIZE);
+		}
 		ip = mtod(m, struct ip *);
 		/* don't allow both user specified and setsockopt options,
 		   and don't allow packet length sizes that will crash */
diff --git a/sys/netinet/udp.h b/sys/netinet/udp.h
index d47ea91..3aeb522 100644
--- a/sys/netinet/udp.h
+++ b/sys/netinet/udp.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)udp.h	8.1 (Berkeley) 6/10/93
- * $Id: udp.h,v 1.2 1994/08/02 07:49:22 davidg Exp $
+ * $Id: udp.h,v 1.3 1994/08/21 05:27:41 paul Exp $
  */
 
 #ifndef _NETINET_UDP_H_
@@ -44,7 +44,7 @@
 struct udphdr {
 	u_short	uh_sport;		/* source port */
 	u_short	uh_dport;		/* destination port */
-	short	uh_ulen;		/* udp length */
+	u_short	uh_ulen;		/* udp length */
 	u_short	uh_sum;			/* udp checksum */
 };
 
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 0d6994f..4c3c62f 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)udp_usrreq.c	8.6 (Berkeley) 5/23/95
- *	$Id: udp_usrreq.c,v 1.28 1996/06/08 08:19:03 bde Exp $
+ *	$Id: udp_usrreq.c,v 1.29 1996/10/07 19:06:12 davidg Exp $
  */
 
 #include <sys/param.h>
@@ -445,6 +445,11 @@ udp_output(inp, m, addr, control)
 	if (control)
 		m_freem(control);		/* XXX */
 
+	if (len + sizeof(struct udpiphdr) > IP_MAXPACKET) {
+		error = EMSGSIZE;
+		goto release;
+	}
+
 	if (addr) {
 		laddr = inp->inp_laddr;
 		if (inp->inp_faddr.s_addr != INADDR_ANY) {